## Key-privacy in public-key encryption

**Authors:** M. Bellare, A. Boldyreva, A. Desai
and D. Pointcheval

**Abstract:**
We consider a security property of encryption schemes that has been
surfacing increasingly often of late. We call it "key-privacy" or
"anonymity". It asks that an eavesdropper in possession of a
ciphertext not be able to tell which specific key, out of a set of
known public keys, is the one under which the ciphertext was created,
meaning the receiver is anonymous from the point of view of the
adversary. We investigate the anonymity of known encryption
schemes. We prove that the El Gamal scheme provides anonymity under
chosen-plaintext attack assuming the Decision Diffie-Hellman problem
is hard and that the Cramer-Shoup scheme provides anonymity
under chosen-ciphertext attack under the same assumption.
We also consider anonymity for trapdoor permutations. Known attacks
indicate that the RSA trapdoor permutation is not anonymous and
neither are the standard encryption schemes based on it. We provide a
variant of RSA-OAEP that provides anonymity in the random oracle model
assuming RSA is one-way. We also give constructions of anonymous
trapdoor permutations, assuming RSA is one-way, which
yield anonymous encryption schemes in the standard model.
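
As an added illustration (not code from the paper or its authors), the following runs the key-indistinguishability game described in the abstract against the textbook RSA permutation with two constructed toy moduli. The distinguisher relies on the well-known observation that an output at or above the smaller modulus can only belong to the larger key; the resampling sampler is an assumption-labelled sketch of one way to remove that leak, not the paper's construction, and all names and constants are hypothetical.

```python
import random

E = 17  # public exponent, coprime to (p-1)(q-1) for both toy keys below
# Constructed toy keys: two 16-bit moduli with N0 < N1 (far too small for real use).
PK0 = 193 * 211   # N0 = 40723
PK1 = 251 * 257   # N1 = 64507
COMMON_BOUND = 1 << 15  # 2^(k-1) for k = 16; lies below every k-bit modulus

def rsa_perm(n, x):
    """Textbook RSA trapdoor permutation x -> x^e mod n."""
    return pow(x, E, n)

def sample_plain(n, rng):
    """Image of a uniform x in [1, n): uniform over [1, n), so it leaks n's size."""
    return rsa_perm(n, rng.randrange(1, n))

def sample_resampled(n, rng):
    """Assumed mitigation: retry with fresh x until the image is below the shared bound.
    The result is uniform over [1, COMMON_BOUND) whichever key was used."""
    while True:
        y = sample_plain(n, rng)
        if y < COMMON_BOUND:
            return y

def guess_key(y):
    """Distinguisher: a value >= N0 cannot have come from key 0."""
    return 1 if y >= PK0 else 0

def advantage(sampler, trials=20000, seed=1):
    """Key-indistinguishability game: a hidden bit b selects the key.
    Returns the distinguisher's advantage 2*Pr[guess == b] - 1."""
    rng = random.Random(seed)
    wins = 0
    for _ in range(trials):
        b = rng.randrange(2)
        y = sampler((PK0, PK1)[b], rng)
        wins += guess_key(y) == b
    return 2 * wins / trials - 1

if __name__ == "__main__":
    print("plain RSA permutation:", round(advantage(sample_plain), 3))
    print("resampled below 2^15 :", round(advantage(sample_resampled), 3))
```

With these toy keys the plain permutation gives the distinguisher an advantage near (N1 - N0)/N1, while the resampled outputs have the same distribution under both keys, so the advantage is only sampling noise.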

**Ref:** Extended abstract in Advances in Cryptology - Asiacrypt 2001
Proceedings, Lecture Notes in Computer Science Vol. 2248, C. Boyd ed,
Springer-Verlag, 2001. Full paper available below.

**Full paper:** Available as compressed
postscript, postscript, or
pdf.